SPECIFICATION



TO ALL WHOM IT MAY CONCERN: 

BE IT KNOWN that we, ATSUSHI FUJIOKA, a subject of Japan and
residing at Shinjuku-ku, Tokyo, Japan, MASAYUKI ABE, a subject of Japan
and residing at Shinjuku-ku, Tokyo, Japan, and FUMIAKI MIURA, a subject
of Japan and residing at Shinjuku-ku, Tokyo, Japan, have invented certain
new and useful improvements in

"ELECTRONIC VOTING METHOD AND SYSTEM AND 
RECORDING MEDIUM HAVING RECORDED THEREON 
A PROGRAM FOR IMPLEMENTING THE METHOD" 

and we do hereby declare that the following is a full, clear and exact 
description of the same; reference being had to the accompanying drawings 
and the numerals of reference marked thereon, which form a part of this 
specification.

ELECTRONIC VOTING METHOD AND SYSTEM AND
RECORDING MEDIUM HAVING RECORDED THEREON
A PROGRAM FOR IMPLEMENTING THE METHOD

BACKGROUND OF THE INVENTION

The present invention relates to an electronic voting system and
method for implementing secure secret voting in elections,
questionnaire surveys or the like which are conducted through a
telecommunication system. The invention also pertains to a
recording medium having recorded thereon a program for
implementing the electronic voting method.

The word "voting" herein means a procedure in which voters each
choose a predetermined number (one or more) of candidates from
those offered to them and a counter counts the number of votes cast
for each candidate. The candidates mentioned herein may be not only
the names of candidates in elections but also items or headings of
choice in statistical surveys. The content of the vote is
identification information representing the candidate chosen by the
voter, such as a symbol, name, or heading.

Since the secret voting scheme provides security for the
correspondence between the voters and the contents of their votes
and lends itself to protecting the privacy of individuals for their
thought and belief, the scheme can be used, for instance, in
teleconferencing and questionnaire surveys by CATV or similar
two-way communication.

To implement secure secret voting by telecommunication, it is
necessary to prevent the impersonation of voters, double voting and
a leakage of the content of the vote by wiretapping its message or
text. As a solution to these problems, there have been proposed
electronic voting schemes using the digital signature technique, for
example, in Atsushi Fujioka, Tatsuaki Okamoto and Kazuo Ohta, "A
practical secret voting scheme for large scale elections," Advances in
Cryptology - AUSCRYPT '92, Lecture Notes in Computer Science 718,
Springer-Verlag, Berlin, pp. 244-251 (1993) and Japanese Patent
Application Laid-Open No. 19943/94 (laid open November 28, 1994)
entitled "Electronic Voting Method and Apparatus."

In this conventional method, a voter $V_i$ encrypts the content of
his vote (hereinafter referred to as the vote content) $v_i$ by a key
$k_i$ into a ciphertext $x_i$, then randomizes it by a random number
$r_i$ to create a preprocessed text $e_i$ for getting a blind
signature, then attaches his signature $s_i$ to the text $e_i$, and
sends the signed text to an election administrator A. The
administrator A first verifies the validity of the voter $V_i$ on the
basis of the signature $s_i$, then attaches his blind signature $d_i$
to the preprocessed text $e_i$, and sends it back to the voter $V_i$.
The voter $V_i$ retrieves a signature $y_i$ of the election
administrator A for the ciphertext $x_i$ from the blind signature
$d_i$ affixed to the preprocessed text $e_i$, and sends the
administrator's signature $y_i$ to a counter C together with the
ciphertext $x_i$. The counter C makes sure that the ciphertext $x_i$
bears the administrator's signature $y_i$, and publishes the
ciphertext $x_i$ in its entirety. The voter $V_i$ sends the counter C
the key $k_i$ used for the encryption of his vote content $v_i$ when
his ciphertext $x_i$ is found registered, and if not registered, the
voter $V_i$ presents a protest against the counter C. The counter C
uses his received key $k_i$ to decode or retrieve the vote content
$v_i$ from the ciphertext $x_i$, and counts the number of votes cast
for each candidate.

With this method, however, it is necessary for the voter $V_i$ to
confirm the registration of his ciphertext $x_i$ by checking a list of
ballots that is published after completion of the voting of all voters
and to send the key $k_i$ to the counter C. Hence, the conventional
system lacks usability from a voter's point of view.

The following are pertinent references, but do not solve the
above-stated problems: Japanese Patent Application Laid-Open Nos.
6-223250 (August 12, 1994), 6-176228 (June 24, 1994), 7-28915
(Jan. 31, 1995), 10-74182 (March 17, 1998), 10-283420 (Oct. 23,
1998), 1-177164 (July 13, 1989), and 10-74046 (March 17, 1998);
D. Chaum, "Elections with Unconditionally-Secret Ballots and
Disruption Equivalent to Breaking RSA", in Advances in Cryptology -
EUROCRYPT '88, Lecture Notes in Computer Science 330,
Springer-Verlag, Berlin, pp. 177-182 (1988); L. F. Cranor et al.,
"Design and Implementation of a Practical Security-Conscious
Electronic Polling System", WUCS-96-02, Department of Computer
Science, Washington University, St. Louis (Jan., 1996); M. A.
Herschberg, "Secure Electronic Voting Over the World Wide Web",
Masters Thesis in Electrical Engineering and Computer Science,
Massachusetts Institute of Technology (1997).

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a
simple and convenient electronic voting system and method which
ensure voter privacy in making a complaint about a possible fraud
by the administrator, have robustness against system dysfunction
and obviate the necessity for voters to send their encryption keys to
the counter after voting.

Another object of the present invention is to provide a
recording medium on which there is recorded a program for
implementing the above electronic voting method.

In the present invention, each voter encrypts his vote content
by a public key of the counter, then randomizes the encrypted vote
content by a random number to create a preprocessed text, then
attaches thereto his signature, and sends the signed text to the
election administrator. The election administrator verifies the
validity of the voter through utilization of his signature attached to
the encrypted text, then attaches a blind signature to the
preprocessed text, and sends back the signed preprocessed text to
the voter. The voter excludes the influence of the random number
from the blind signature attached to the preprocessed text to obtain
administrator's signature information about the encrypted vote
content, and sends the signature information as vote data to the
counter together with the encrypted vote content. The counter
publishes the vote data after making sure that the signature
information on the encrypted vote content received from the voter
bears the administrator's signature. After every voter confirms the
registration of his encrypted vote content in the published list of
vote data, the counter decrypts the encrypted vote content by a
secret key of his own and counts the number of votes cast for each
candidate. If his encrypted vote content is not registered in the list
of vote content, the voter complains about it to the counter. It is
also possible to provide a system configuration wherein a plurality
of counters each hold part of a decryption key and all or a certain
number of them collaborate to decrypt all the encrypted vote
contents.

According to the present invention, the randomization of the
vote content with the random number gives neither the election
administrator nor the counter a chance to view the vote content,
and hence it guarantees the secrecy of voting.

The decryption key is in the possession of the counter, and
the voter need not communicate with the counter again for vote
counting.

With the system configuration wherein the plurality of counters
work together to decrypt the encrypted vote content, the validity of
the voter can be proved simply by sending the encrypted vote and
the administrator's signature. That is, even if one or more of the
counters commit fraud, the vote content will not be revealed unless
all the counters or a certain number of them conspire.

Furthermore, since encrypted vote contents are sent to each of
the distributed counters, the intermediate results of the vote count
will not be revealed, either, without a conspiracy by all or a certain
number of counters; this provides increased fairness in the voting
system.

Besides, in the system wherein the encrypted vote contents can
be decrypted by only a certain number of counters, even if some of
the counters are dishonest or unable to collaborate in decryption,
it is possible to decrypt the vote contents; hence, the system is
highly fault tolerant.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram illustrating the general configuration of
a voting system according to a first embodiment of the present
invention;

Fig. 2A is a table depicting a list of eligible voters;

Fig. 2B is a table depicting a list of voters given the right to vote;

Fig. 2C is a table depicting a list of ballots as received;

Fig. 2D is a table depicting a list of ballots as counted;

Fig. 2E is a table depicting a list of votes polled for each
candidate;

Fig. 3 is a block diagram showing an example of the functional
configuration of a voter apparatus 100;

Fig. 4 is a block diagram showing an example of the functional
configuration of an election-administrator apparatus 200;

Fig. 5 is a block diagram showing an example of the functional
configuration of a counter apparatus 300;

Fig. 6 is a diagram depicting a voting procedure;

Fig. 7 is a block diagram illustrating the general configuration of
a voting system according to a second embodiment of the present
invention;

Fig. 8A is a block diagram depicting an example of the
functional configuration of a distributed counter apparatus $300_1$ in
Fig. 7;

Fig. 8B is a block diagram depicting an example of the functional
configuration of each of distributed counter apparatuses $300_2$
through $300_U$ in Fig. 7;

Fig. 9 is a block diagram illustrating the general configuration of
a voting system according to a third embodiment of the present
invention;

Fig. 10A is a block diagram depicting an example of the
functional configuration of each of distributed counter apparatuses
$300_1$ through 300^ in Fig. 9; and

Fig. 10B is a block diagram depicting an example of the
functional configuration of a distributed counter apparatus 300,j in
Fig. 9.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

While the present invention will hereinafter be described as
being applied to the voting in elections, the principles of the
invention can also be applied intact to the voting in statistical
surveys as referred to previously.

EMBODIMENT 1 

Fig. 1 schematically illustrates the general configuration of the
voting system according to the present invention. Apparatuses 100
of T voters $V_i$ (where $i = 1, \ldots, T$) (which apparatuses 100
will hereinafter be referred to as voter apparatuses) are each
connected to an apparatus 200 of an election administrator A (which
apparatus 200 will hereinafter be referred to as an administrator
apparatus) and an apparatus 300 of a counter C (which apparatus 300
will hereinafter be referred to as a counter apparatus) via
nonanonymous and anonymous communication channels 400 and
500, respectively. When sending information to the administrator A
via the nonanonymous communication channel 400, the voter $V_i$
attaches to the information sender information indicating who the
sender is, for example, his name $V_i$ or identification information
$ID_i$. In the case of sending information to the counter C via the
anonymous communication channel 500, the voter $V_i$ adds no sender
information. The counter C publishes a list of vote contents (a list of
votes and a list of the number of votes polled for each candidate),
which is accessible from all the voters. Fig. 3 depicts an example of
the configuration of the voter apparatus 100 in the voting system of
Fig. 1, Fig. 4 an example of the configuration of the administrator
apparatus 200, Fig. 5 an example of the configuration of the counter
apparatus 300, and Fig. 6 an example of a communication sequence
in the voting system of the present invention. Fig. 2A exemplifies a
list of eligible voters (hereinafter referred to as an eligible-voter
list) 240A, Fig. 2B a list of voters authorized to vote (hereinafter
referred to as an authorized-voter list) 240B, Fig. 2C a list of ballots
as received by the counter C but not yet counted (which list will
hereinafter be referred to as a ballot list) 320A, Fig. 2D a list of
ballots counted (hereinafter referred to as a counted-ballot list)
320B, and Fig. 2E a list of the numbers of votes polled for individual
candidates (hereinafter referred to as a poll list) 320B.

A description will be given of the voting procedure that the
voter $V_i$ carries out with the counter C after being
authorized by the administrator A to vote.

The following is a list of notations that are used in describing
the invention below.

$x = \xi_C(v, k_{PC})$: encryption function of the counter C ($x$:
ciphertext, $v$: vote content, $k_{PC}$: public key of the counter)

$v = \rho_C(x, k_{SC})$: decryption function of the counter C
($k_{SC}$: secret key of the counter)

$s = \sigma_i(e)$: signature generating function of the voter $V_i$
($s$: signature, $e$: encrypted vote content)

$e = \zeta_i(s)$: verification function for the signature of the
voter $V_i$

$d = \sigma_A(e)$: a blind signature generating function of the
administrator A ($d$: blind signature)

$z = \zeta_A(y)$: verification function for the signature of the
administrator A ($y$: signature, $z$: ballot)

$e = \omega_A(z, r)$: randomizing function ($r$: random number)

$y = \delta_A(d, r)$: derandomizing function ($d$: blind signature)

The encryption function $\xi_C$ and decryption function $\rho_C$ of
the counter C are used in known public key cryptosystems. Now, let it
be assumed that the counter C keeps the secret key $k_{SC}$ in secrecy
and publishes the public key $k_{PC}$ to the voters. The randomizing
function $\omega_A(z, r)$, by which the voter $V_i$ blinds the message
m with the random number $r$ (to preprocess the ballot for the
attachment thereto of the administrator's blind signature) prior to
requesting it, and the derandomizing function $\delta_A(d, r)$, which
removes the random component $r$ from the received blind signature $d$
to extract the signature $y$ of the administrator A attached to the
ballot, are inevitably determined once the blind signature function
$\sigma_A$ of the administrator A is determined. Such signature
functions are, for example, an encryption function and a decryption
function of the RSA cryptosystem (Ronald Rivest, Adi Shamir and
Leonard Adleman, "A method for obtaining digital signatures and
public-key cryptosystems," Communications of the ACM, Vol. 21, No. 2,
pp. 120-126 (Feb., 1978)), and the scheme for randomization with a
random number as preprocessing for requesting the blind signature is
described in detail in David Chaum, "Security without identification:
Transaction systems to make big brother obsolete," Communications
of the ACM, Vol. 28, No. 10, pp. 1030-1044 (Oct., 1985).

Turning next to Fig. 3, the configuration of the voter apparatus
100 will be described. In a storage part 121 there is prestored
identification information $ID_i$ of voters and their names $V_i$. Of
the data that is generated in the apparatus 100, data to be used
afterward is also stored in the storage part 121. An encryptor 110
encrypts the vote content $v_i$ (the candidate name $CND_h$ in this
case) chosen by the voter $V_i$ using the public key $k_{PC}$ of the
counter C to obtain the ciphertext $x_i = \xi_C(v_i, k_{PC})$. A tag
generator 111 generates a random number $t_i$, which is revealed only
to the voter $V_i$ and is used as a tag in such a manner as described
below. A concatenator 112 concatenates the ciphertext $x_i$ with the
tag $t_i$ and outputs $z_i = x_i \| t_i$. The output $z_i$ will
hereinafter be referred to as a ballot. A random generator 120
generates a random number $r_i$. A randomizer 130 randomizes the
ballot $z_i$ by the random number $r_i$ based on the randomizing
function $e_i = \omega_A(z_i, r_i)$ to generate a preprocessed text
$e_i$. A signature generator 140 generates a signature
$s_i = \sigma_i(e_i, ID_i)$ that is attached to the preprocessed text
$e_i$ to indicate its origin $V_i$. Data $\langle e_i, s_i, ID_i
\rangle$ is sent to the administrator apparatus 200 via the
communication channel 400. The voter apparatus 100 is held connected
to the administrator apparatus 200 via the communication channel 400
until the former receives a blind signature $d_i$ from the latter.

A derandomizer 150 removes the random component from the
blind signature $d_i$ received via a transmitting-receiving part 190
from the administrator apparatus 200 by the random number $r_i$
based on the derandomizing function $y_i = \delta_A(d_i, r_i)$,
thereby obtaining $y_i$ as the signature of the administrator A for
the ballot $z_i$. A signature verification part 160 verifies the
validity of the signature $y_i$ by making a check to see if a
verification function $z_i = \zeta_A(y_i)$ holds. Data $\langle z_i,
y_i \rangle$ is sent as vote data via a transmitting-receiving part
180 to the counter apparatus 300. A list checking part 170 checks the
ballot list 320A received via the transmitting-receiving part 180
from the counter apparatus 300 in response to an access thereto
from the voter apparatus 100.

The administrator apparatus 200 depicted in Fig. 4 comprises: a
storage part 240 for recording therein the eligible-voter list 240A
(Fig. 2A) with the identification information $ID_i$ of eligible
voters prestored and the authorized-voter list 240B (Fig. 2B) for
storing the identification information $ID_i$ of voters authorized to
vote; a voter checking part 210 for making a check to see if the
identification information $ID_i$ received from the voter is placed on
the eligible-voter list; a signature verification part 220 for
verifying the validity of the voter's signature $s_i$ attached to the
preprocessed text $e_i$ received from the voter by making a check to
see if a verification function $e_i = \zeta_i(s_i)$ holds; a voter
list generating part 260 for generating the authorized-voter list 240B
(Fig. 2B) by writing data on authorized voters in a predetermined area
of the storage part 240; a transmitting-receiving part 250 for data
exchange with each voter apparatus $100_i$; and a signature generator
230 for generating a blind signature $d_i = \sigma_A(e_i)$ to be
attached to the preprocessed text $e_i$.
As shown in Fig. 5, the counter apparatus 300 comprises: a
signature verification part 310 for verifying the validity of the
signature $y_i$ of the administrator A by making a check to see if
$z_i = \zeta_A(y_i)$ holds for the ballot $z_i$ and the administrator
signature $y_i$ in the vote data $\langle z_i, y_i \rangle$ received
via a receiving part 360 from the voter apparatus 100, through the use
of a verification function $\zeta_A(y_i)$; a storage part 320 which
gives a serial number $q$ to the vote data $\langle z_i, y_i \rangle$
and places and stores it on the list of ballots (hereinafter
referred to as a ballot list) 230A (Fig. 2C); a separation part 350
for separating the ciphertext $x_i$ from the ballot
$z_i = x_i \| t_i$; a decryptor 330 for decrypting the ciphertext
$x_i$ by the counter's secret key $k_{SC}$ based on the decryption
function $\rho_C$ to obtain $v_i = \rho_C(x_i, k_{SC})$ as the
vote content; and a counter 340 for counting the vote content $v_i$.
Further, the decrypted vote content $v_i$ is added to the vote data
corresponding to the serial number $q$ of the ballot list 320A held in
the storage part 320, as depicted in Fig. 2D. The results of the
vote count, that is, the numbers of votes polled for each candidate
($CND_h$, where $h = 1, 2, \ldots$), are stored as the poll list 320B
of Fig. 2E in the storage part 320. The contents of the ballot list
320A and the counted-ballot list 320B are sent via a
transmitting-receiving part 380 to the voter apparatus 100 that has
accessed the counter apparatus 300.

Turning next to Fig. 6, the voting procedure in the first 
embodiment will be described. 

Step 1: The voter $V_i$ makes preparations for voting by the voter
apparatus 100 (Fig. 3) as described below.

Step 1-1: The voter $V_i$ encrypts the vote content $v_i$ by the
encryptor 110 using the public key $k_{PC}$ of the counter C and the
encryption function $\xi_C$ to generate the ciphertext

$$x_i = \xi_C(v_i, k_{PC}).$$

Then, the voter $V_i$ generates the tag $t_i$ by the tag generator
111 and concatenates it with the ciphertext $x_i$ by the concatenator
112 to obtain the ballot

$$z_i = x_i \| t_i.$$

The tag $t_i$ is, for instance, a random number and only the voter
$V_i$ knows that it is his own tag.

Step 1-2: The voter $V_i$ generates the random number $r_i$ by the
random generator 120, and randomizes the ballot $z_i$ by the
randomizer 130 using the random number $r_i$ to create the
preprocessed text

$$e_i = \omega_A(z_i, r_i).$$

Step 1-3: The voter $V_i$ generates, by the signature generator
140, the signature $s_i$ for the preprocessed text $e_i$ and the
identification information $ID_i$:

$$s_i = \sigma_i(e_i, ID_i).$$

After this, the voter $V_i$ sends the data $\langle e_i, s_i, ID_i
\rangle$ to the administrator apparatus 200.

Step 2: The administrator apparatus 200 (Fig. 4) has prestored
therein the relationship between the registered eligible voters'
names $V_i$ and their identification information $ID_i$ as the
eligible-voter list 240A (Fig. 2A), and has the authorized-voter list
240B (Fig. 2B) in which the names $V_i$ or identification information
$ID_i$ of the voters authorized to vote are written by the voter list
generating part 260. Since the authorized-voter list is published
after the voting of all voters, the names $V_i$ or identification
information $ID_i$ of the authorized voters are recorded, depending on
whether they agree or disagree to reveal their names to the public.
This is predetermined prior to the start of the actual voting. The
following description will be given on the assumption that the
identification information $ID_i$ of the voters $V_i$ is written in
the authorized-voter list 240B (Fig. 2B). At the start of the voting
procedure there is nothing recorded in the voter list. The
administrator A performs by his apparatus 200 the following procedure
to give the eligible voters the right to vote.

Step 2-1: The administrator A makes sure that the voter is
eligible, by making a check in the voter checking part 210 to see if
his identification information $ID_i$ is contained in the
eligible-voter list 240A (Fig. 2A). If not, the administrator A
rejects the authorization of the voter $V_i$.

Step 2-2: The administrator A ascertains whether the voter $V_i$
has been authorized to vote, by making a check in the voter
checking part 210 to see if his identification information $ID_i$ has
already been written in the authorized-voter list 240B (Fig. 2B). If
the identification information $ID_i$ is found in the authorized-voter
list 240B, the administrator A regards the voting by the voter $V_i$
as double voting and rejects the authorization.

Step 2-3: If the identification information $ID_i$ is not found in
the authorized-voter list 240B, then the administrator A makes a check
to determine in the signature verification part 220 whether $s_i$,
$e_i$ and $ID_i$ satisfy the following equation:

If so, the administrator A provides $e_i$ to the signature generator
230 to calculate the signature $d_i$:

$$d_i = \sigma_A(e_i).$$

Then the administrator A sends the signature $d_i$ via the
transmitting-receiving part 250 to the voter apparatus 100 and, at the
same time, adds the identification information $ID_i$ of the voter
$V_i$ by the voter list generating part 260 to the authorized-voter
list 240B (Fig. 2B) in the storage part 240.

Step 2-4: After all voters vote, the administrator A publishes the
authorized-voter list 240B and the number of voters who actually
voted. For this publication, the administrator A informs all the
eligible voters in advance that they are allowed to access the
authorized-voter list 240B in the storage part 240 of the
administrator apparatus 200 via an arbitrary communication channel
within a certain period beginning on a predetermined date and time.
The access to the authorized-voter list 240B can be made, for example,
using a predetermined telephone number. The list 240B may also be
published at a predetermined address on the Internet.

Step 3: The voter $V_i$ generates the ballot and its signature
information by the voter apparatus 100 (Fig. 1) as described below.

Step 3-1: The voter $V_i$ inputs $d_i$ and $r_i$ into the
derandomizer 150 to obtain the following signature information $y_i$
on the ballot $z_i$:

$$y_i = \delta_A(d_i, r_i).$$

Step 3-2: The voter $V_i$ makes sure that $y_i$ is the signature of
the administrator A, by making a check in the signature verification
part 160 to see if the following equation holds:

$$z_i = \zeta_A(y_i).$$

If not, the voter $V_i$ points out fraud by the administrator A,
presenting the data $\langle e_i, d_i \rangle$.

Step 3-3: If it is verified that the signature is valid, the voter
$V_i$ sends data $\langle z_i, y_i \rangle$ via the transmitting part
180 to the counter apparatus 300 over the anonymous communication
channel 500.

Step 4: The counter C collects ballots by the counter apparatus 300
(Fig. 5) as described below.

Step 4-1: The counter C receives the vote data $\langle z_i, y_i
\rangle$ from the voter via the receiving part 360, and makes sure
that $y_i$ is a valid signature on the ballot $z_i$, by making a check
in the signature verification part 310 to see if the following
equation holds:

$$z_i = \zeta_A(y_i).$$

If the equation holds, the counter C gives the ballot $z_i$ and its
signature $y_i$ a common serial number $q$ and places them as
vote data $\langle q, z_i, y_i \rangle$ on the ballot list 230A
(Fig. 2C) by a vote list generating part 370.

Step 4-2: After all voters vote, the counter C publishes the ballot
list 320A by allowing an access to the storage part 320 via the
transmitting-receiving part 380. This list is supposed to be accessible
from all the voters. As is the case with the authorized-voter list 240B,
the counter C preannounces the period and place for publishing the
ballot list 320A.

Step 5: The voter $V_i$ conducts the following verification by the
voter apparatus 100.

Step 5-1: The voter $V_i$ accesses the storage part 320 of the
counter apparatus 300 via the transmitting-receiving part 180, then
receives the contents of the ballot list 320A, and makes a check in the
list checking part 170 to see if the number of ballots placed on the
ballot list 320A is equal to the number of voters published in
Step 2-4. If not, the voter $V_i$ publishes the serial number $q$ and
the random number $r_i$ to point out fraud by the administrator A.

Step 5-2: The voter $V_i$ makes a check in the list checking part
170 to see if his ballot $z_i$ is contained in the ballot list 320A.
This can be done by verifying whether the ballot $z_i$ itself is
contained in the list 320A, or whether the tag $t_i$ in
$z_i = x_i \| t_i$ is his tag. If the ballot $z_i$ is not found on the
list 600, then the voter $V_i$ points out fraud of the counter C,
presenting the vote data $\langle z_i, y_i \rangle$.

Step 6: The counter C performs the following vote counting by the
counter apparatus 300.

Step 6-1: When no allegation of fraud is received via the
receiving part 360 from the voter $V_i$ within a predetermined period
of time after the reception of his ballot $z_i$ and signature $y_i$,
the counter C separates the ciphertext $x_i$ from the ballot
$z_i = x_i \| t_i$ in the separation part 350, and decrypts it by the
decryptor 330 using the secret key $k_{SC}$ to detect the vote content
$v_i$:

$$v_i = \rho_C(x_i, k_{SC}).$$

Then the counter C verifies whether the vote content $v_i$ is valid or
not, that is, whether it correctly represents the name or symbol of
any one of the candidates offered in advance. If not, the vote is
regarded as invalid.

Step 6-2: The counter C counts the vote contents $v_i$ in the ballot
list 320A of Fig. 2C by means of the counter 340 to obtain the number
of votes polled for each candidate, then publishes the results of the
vote count as the poll list 320B of Fig. 2E and, at the same time, adds
$v_i$ to the q-th piece of data $\langle x_i, t_i, y_i \rangle$ as
depicted in Fig. 2D. The results of the vote count are published
together with the ballot list 320A.

Step 7: The voter $V_i$ verifies the validity of the manipulation or
management of the counter C by means of the voter apparatus 100.
That is, the voter checks whether all vote contents have been
contained in the ballot list 320A of Fig. 2C, and whether the
ciphertext $x_i$ and the vote content $v_i$ of the voter correspond to
each other.

Incidentally, Step 5 may be omitted, and the publication of the
poll list 320B in Step 6-2 and Step 7 may also be omitted.
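Steps 1 through 6 can be run end to end. The Python below is an added example, not code from the specification: it assumes textbook RSA (one of the options the text names) for the administrator's blind signature and for the counter's encryption, a hash-then-RSA voter signature, random padding of the vote, and constructed toy keys; every function and class name is illustrative.

```python
import hashlib
import secrets
from math import gcd

E = 65537                 # public exponent shared by all toy keys
TAG_BITS, PAD = 64, 8     # tag length in bits, vote padding in bytes (assumptions)

def keypair(p, q):        # textbook RSA: returns (modulus n, secret exponent d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys from Mersenne primes: trivially factorable, demo only.
A_N, A_D = keypair(2**521 - 1, 2**607 - 1)          # administrator A
C_N, C_D = keypair(2**127 - 1, 2**89 - 1)           # counter C (k_PC, k_SC)
V_KEYS = {"ID1": keypair(2**107 - 1, 2**127 - 1),   # voters' signing keys
          "ID2": keypair(2**61 - 1, 2**127 - 1)}

def encrypt_vote(v):                                # x = xi_C(v, k_PC)
    # Random padding (an assumption) so equal votes give different ciphertexts.
    m = int.from_bytes(v.encode() + secrets.token_bytes(PAD), "big")
    return pow(m, E, C_N)

def decrypt_vote(x):                                # v = rho_C(x, k_SC)
    raw = pow(x, C_D, C_N).to_bytes((C_N.bit_length() + 7) // 8, "big")
    return raw.lstrip(b"\0")[:-PAD].decode(errors="replace")

def blind(z, r):                                    # e = omega_A(z, r)
    return z * pow(r, E, A_N) % A_N

def unblind(d, r):                                  # y = delta_A(d, r)
    return d * pow(r, -1, A_N) % A_N

def admin_verify(y):                                # zeta_A(y); caller compares with z
    return pow(y, E, A_N)

def digest(e, voter_id, n):
    h = hashlib.sha256(f"{e}|{voter_id}".encode()).digest()
    return int.from_bytes(h, "big") % n

def voter_sign(e, voter_id):                        # s = sigma_i(e, ID), hash-then-RSA
    n, d = V_KEYS[voter_id]
    return pow(digest(e, voter_id, n), d, n)

class Administrator:
    def __init__(self, eligible):
        self.eligible = eligible                    # list 240A: ID -> public modulus
        self.authorized = []                        # list 240B

    def authorize(self, e, s, voter_id):
        if voter_id not in self.eligible:           # Step 2-1
            raise PermissionError("not eligible")
        if voter_id in self.authorized:             # Step 2-2
            raise PermissionError("double voting")
        n = self.eligible[voter_id]
        if pow(s, E, n) != digest(e, voter_id, n):  # Step 2-3
            raise PermissionError("bad voter signature")
        self.authorized.append(voter_id)
        return pow(e, A_D, A_N)                     # d = sigma_A(e); A never sees z

class Counter:
    def __init__(self, candidates):
        self.candidates = candidates
        self.ballots = []                           # ballot list 320A: (q, z, y)

    def receive(self, z, y):                        # Step 4-1
        if admin_verify(y) != z:
            return None
        self.ballots.append((len(self.ballots) + 1, z, y))
        return len(self.ballots)

    def tally(self):                                # Step 6
        poll = {c: 0 for c in self.candidates}
        for _, z, _ in self.ballots:
            v = decrypt_vote(z >> TAG_BITS)         # separate x from z = x || t
            if v in poll:                           # anything else is an invalid vote
                poll[v] += 1
        return poll

def cast(voter_id, v, admin, counter):              # Steps 1 to 3 on the voter side
    z = (encrypt_vote(v) << TAG_BITS) | secrets.randbits(TAG_BITS)  # z = x || t
    r = secrets.randbelow(A_N - 2) + 2
    while gcd(r, A_N) != 1:
        r = secrets.randbelow(A_N - 2) + 2
    e = blind(z, r)
    y = unblind(admin.authorize(e, voter_sign(e, voter_id), voter_id), r)
    if admin_verify(y) != z:                        # Step 3-2
        raise ValueError("administrator fraud")
    return {"z": z, "y": y, "e": e, "q": counter.receive(z, y)}

def run_election():
    admin = Administrator({i: k[0] for i, k in V_KEYS.items()})
    counter = Counter(["CND1", "CND2"])
    first = cast("ID1", "CND1", admin, counter)
    cast("ID2", "CND2", admin, counter)
    try:
        cast("ID1", "CND2", admin, counter)         # same ID asks for a second signature
        double = "accepted"
    except PermissionError as err:
        double = str(err)
    return admin, counter, first, double
```

The length of the ballot list equals the length of the authorized-voter list after the run, which is the comparison a voter makes in Step 5-1.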

In this embodiment, since the voter $V_i$ encrypts the vote content
$v_i$ into $x_i = \xi_C(v_i, k_{PC})$ by the encryption function
$\xi_C$ of the counter C and sends him the vote data $\langle z_i, y_i
\rangle$, the counter C could view the vote content $v_i$ by
decrypting the ciphertext $x_i$ in the ballot $z_i$ with the
decryption function $v_i = \rho_C(x_i, k_{SC})$ through the use of the
secret key $k_{SC}$ of the counter C even before the publication of
the ballot list 320A in step S4-2. In other words, the counter C is in
a position to get information such as the trend of voting or
intermediate results of the vote count prior to the publication of the
ballot list 320B and hence leak the information to a particular person
prior to the publication of the official results of the vote count;
this is undesirable in terms of the fairness of elections. Besides,
according to the first embodiment of the invention, if the counter
apparatus 300 suffers a breakdown, the vote count cannot be completed
on schedule in some cases. A description will be given below of
another embodiment of the present invention which is intended to
obviate these problems by the participation of plural distributed
counters in the decryption and vote counting processes.

The distributed counters use the same crypto-functions (the
encryption function $\xi_C$ and the decryption function $\rho_C$) as
in the public-key cryptosystem. However, the decryption process
involves the use of a distributed secret key $k_{SC_j}$ of every
distributed counter, or requires a certain number (a threshold value
$U_t$, where $2 < U_t < U$) of people to work together. The
crypto-functions mentioned above are encryption and decryption
functions of, for instance, the ElGamal cryptosystem (Taher ElGamal,
"A public key cryptosystem and a signature scheme based on discrete
logarithms," IEEE Transactions on Information Theory, Vol. IT-31,
No. 4, pp. 469-472 (July, 1985)). The scheme of decryption by the
distributed counters using such crypto-functions and the scheme using
the threshold value are described in detail in Yvo Desmedt and Yale
Frankel, "Threshold cryptosystems," in Advances in Cryptology -
CRYPTO '89, Lecture Notes in Computer Science 435, Springer-Verlag,
Berlin, pp. 307-315 (1990).

EMBODIMENT 2 

Fig. 7 schematically illustrates the general configuration of a
voting system according to a second embodiment of the present
invention. This embodiment is identical with the first embodiment in
that every voter apparatus 100 is connected to the administrator
apparatus 200 through the communication channel 400 and to one
counter apparatus through the anonymous communication channel
500, but structurally differs in that a plurality of counter apparatuses
(hereinafter referred to as distributed counter apparatuses) $300_j$
(where $j = 1, \ldots, U$) are provided. The distributed counter apparatus $300_1$ decrypts
ciphertexts $x_i$ from all voters to generate $x_{i1}$ and sends it to the next
distributed counter $300_2$; similarly, a j-th distributed counter
apparatus $300_j$ decrypts decrypted data $x_{i,j-1}$ received from the
immediately preceding distributed counter apparatus $300_{j-1}$ to
generate decrypted data $x_{ij}$ and sends it to the next distributed
counter apparatus $300_{j+1}$. The vote content $v_i$ is obtained for the first
time with the decryption process by the last distributed counter
apparatus $300_U$. As is the case with the first embodiment, the
identification information $ID_i$ of the voter $V_i$ is attached to the data
that is sent from the voter apparatus $100_i$ to the administrator 200
via the communication channel, but no identification information $ID_i$
accompanies the data that is sent to the distributed counter apparatus
$300_1$ via the anonymous communication channel 500.

This embodiment is identical with the first embodiment in the
communication sequence, the configuration of each voter apparatus
100 and the configuration of the administrator apparatus 200 except
that the counter apparatus 300 is substituted with a plurality of
distributed counter apparatuses. Furthermore, this embodiment is
common to the first embodiment in that each voter encrypts the vote
content $v_i$ by $x_i = \xi_C(v_i, k_{PC})$ through the use of the common public key
$k_{PC}$. The counters $C_1$ to $C_U$ each have one of U partial secret keys $k_{SC_1}$,
$k_{SC_2}$, ..., $k_{SC_U}$ into which the secret key $k_{SC}$ is split, and perform the
decryption process using them, respectively, but no distributed
counter apparatus $300_j$ can decrypt the vote content $v_i$ from the
ciphertext $x_i$ on a stand-alone basis. In the case of employing the
aforementioned ElGamal cryptosystem, the partial secret keys $k_{SC_1}$,
$k_{SC_2}$, ..., $k_{SC_U}$ can be set such that the sum total of their values equals
the value of the secret key $k_{SC}$ corresponding to the public key $k_{PC}$.
This is described in the aforementioned Desmedt-Frankel literature.

Fig. 8A depicts the configuration of the first distributed counter
apparatus $300_1$ that collects ballots from the voter apparatuses $100_1$
to $100_T$. The distributed counter apparatus $300_1$ comprises a
signature verification part 310, a storage part 320, a counter 340, a
separation part 340, a partial decryption part 331, a receiving part
360, a vote list generating part 370, and a transmitting-receiving part
380. The first distributed counter apparatus $300_1$ differs from the
counter apparatus 300 in the first embodiment of Fig. 5 in the point
described below. First, the partial decryption part 331 generates
decrypted intermediate data $x_{i1}$ by performing a decryption process
$x_{i1} = \rho_{C_1}(x_i, k_{SC_1})$ on the ciphertext $x_i$ through the use of the partial
secret key $k_{SC_1}$, the decrypted intermediate data $x_{i1}$ being sent to the
next distributed counter apparatus $300_2$. Second, the counter 340
receives the decrypted vote content $v_i$ from the last distributed
counter apparatus $300_U$ and counts the votes. The second through
U-th distributed counter apparatuses $300_2$ to $300_U$ are common in
that they have only a partial decryption part 331 as shown in Fig. 8B,
in which the j-th distributed counter apparatus (where $2 \le j \le U$) is
exemplified. The j-th distributed counter apparatus $300_j$ performs a
decryption process $\rho_{C_j}(x_{i,j-1}, k_{SC_j})$ of decrypted intermediate data $x_{i,j-1}$
from the preceding-stage distributed counter apparatus $300_{j-1}$ to
generate decrypted intermediate data and sends it to the next-stage
distributed counter apparatus $300_{j+1}$. The distributed counter
apparatus $300_U$ of the last stage obtains the ultimate decrypted result
$x_{iU}$ as the vote content $v_i = x_{iU}$ by a decryption process
$x_{iU} = \rho_{C_U}(x_{i,U-1}, k_{SC_U})$, and sends the vote content $v_i$ to the first distributed counter
apparatus $300_1$.

A description will be given of the voting procedure in the second
embodiment. This embodiment is common to the first embodiment in
the procedure from Steps 1 through 5. However, it is the first
distributed counter apparatus $300_1$ that receives the vote data $\langle z_i, y_i \rangle$
from each voter apparatus $100_i$. The second embodiment modifies
Steps 6 and 7 in the first embodiment as described below, and U
represents the number of distributed counter apparatuses.

Step 6: The distributed counter $C_j$ (where $j = 1, \ldots, U$) performs the
vote counting process by the distributed counter apparatus $300_j$ as
described below.

Step 6-1: The first distributed counter apparatus $300_1$ separates
$z_i = x_i \| t_i$ in the vote data $\langle z_i, y_i \rangle$ from each voter apparatus $100_i$
(where $i = 1, \ldots, T$) by the separation part 350 into the ciphertext $x_i$
and the tag $t_i$, and performs the following decryption process in the
partial decryption part 330 using the partial secret key $k_{SC_1}$ to obtain
the decrypted intermediate data $x_{i1}$:

$$x_{i1} = \rho_{C_1}(x_i, k_{SC_1}).$$

Then the distributed counter apparatus $300_1$ sends the decrypted
intermediate data $x_{i1}$ to the second distributed counter apparatus
$300_2$.

Thereafter, the j-th distributed counter apparatus $300_j$ similarly
performs the following decryption process of decrypted intermediate
data $x_{i,j-1}$ from the (j-1)th distributed counter apparatus $300_{j-1}$ in the
partial decryption part 330 using the partial secret key $k_{SC_j}$:

$$x_{ij} = \rho_{C_j}(x_{i,j-1}, k_{SC_j}),$$

and sends the data to the next (j+1)th distributed counter
apparatus $300_{j+1}$.

The last U-th distributed counter apparatus $300_U$ obtains the
vote content $v_i$ by performing the following decryption process of
decrypted intermediate data $x_{i,U-1}$ from the (U-1)th distributed
counter apparatus $300_{U-1}$ in the partial decryption part 330 using the
partial secret key $k_{SC_U}$:

$$v_i = x_{iU} = \rho_{C_U}(x_{i,U-1}, k_{SC_U}).$$

The U-th distributed counter apparatus $300_U$ makes a check to see if
the thus obtained vote content $v_i$ is valid.

Step 6-2: The U-th distributed counter $C_U$ counts the vote
contents $v_i$ by the counter 340, then publishes the results of the vote
count and, at the same time, adds the vote contents $v_i$ to the poll list
320B.

Step 7: The voter $V_i$ verifies the validity of the manipulation or
management of the U-th distributed counter apparatus $300_U$ by
means of the voter apparatus $100_i$.

As described above, according to the second embodiment, the
plurality of distributed counter apparatuses $300_1$ to $300_U$ sequentially
perform the decryption process and the distributed counter apparatus
$300_U$ ultimately obtains the vote content $v_i$; hence, no distributed
counter is allowed to view the vote content $v_i$ singly prior to the vote
counting.

THIRD EMBODIMENT 

Fig. 9 illustrates the general configuration of a voting system
according to a third embodiment of the present invention. In this
embodiment each voter apparatus $100_i$ (where $i = 1, \ldots, T$) is made
connectable to all the distributed counter apparatuses $300_1$ to $300_U$
through the communication channels 500, and sends its generated
vote data $\langle z_i, y_i \rangle$ to all of the distributed counter apparatuses $300_1$ to
$300_U$. The configurations of each voter apparatus $100_i$ and the
administrator apparatus 200 are the same as in the first and second
embodiments.

The first to (U-1)th distributed counter apparatuses $300_1$ to
$300_{U-1}$ are all identical in configuration. Fig. 10A depicts the
configuration of the j-th distributed counter apparatus $300_j$, which
comprises: a signature verification part 310 for verifying the validity
of the signature $y_i$ for the ballot $z_i$ in the vote data $\langle z_i, y_i \rangle$ received
from each voter apparatus $300_i$; a separation part 350 for separating
the ciphertext $x_i$ from the ballot $z_i$; and a partial decryption part 331
for performing the decryption process $x_{ij} = \rho_{C_j}(x_i, k_{SC_j})$ of the
ciphertext $x_i$ by the partial secret key $k_{SC_j}$ to obtain the decrypted
intermediate data $x_{ij}$, which is sent to a predetermined one of the
distributed counter apparatuses, in this example, $300_U$. As depicted
in Fig. 10B, the distributed counter apparatus $300_U$ additionally
comprises, in the configuration of Fig. 10A, a storage part 320, a total
decryption part 332, a counter 340, a vote list generating part 370
which gives a serial number q to each of the vote data $\langle z_i, y_i \rangle$ received
from all of the distributed counter apparatuses $300_1, \ldots, 300_U$ and
writes it in the ballot list 320A, and a transmitting-receiving part 380
which allows the voter apparatuses to access the ballot list 320A and
the poll list 320B. In the storage part 320 there are made up a ballot
vote list 320A on which to place vote data received from the other
distributed counters $300_1$ to $300_{U-1}$ and a poll list 320B on which to
place the total number of ballots polled for each candidate. The total
decryption part 332 performs the decryption process
$v_i = \rho_C(x_{i1}, \ldots, x_{iU})$, using the decryption function $\rho_C$, for the decrypted intermediate
data $x_{i1}$ to $x_{iU}$ generated in the respective distributed counter
apparatuses $300_1$ to $300_U$ to obtain the vote content $v_i$, and provides
it to the counter 340. The counter 340 verifies the validity of the
vote content $v_i$ and, if valid, adds 1 to the number of ballots polled for
the corresponding candidate in the poll list 320B in the storage part
320. At the same time, the counter 340 adds $v_i$ to the corresponding
vote data on the ballot list.

This embodiment also inhibits any of the distributed counter
apparatuses from decrypting the vote content $v_i$ from the ciphertext
$x_i$ on a stand-alone basis, and hence it ensures fraud-free, fair
elections.

MODIFICATION 1 

In the second and third embodiments the vote content $v_i$ cannot
be decrypted from the ciphertext $x_i$ without collaboration of all the
distributed counters $C_1$ to $C_U$. This embodiment modifies the
above-described decryption process by requiring at least L (where $2 \le L \le U-1$)
distributed counter apparatuses to work together to decrypt the
vote content $v_i$ from the ciphertext $x_i$, using the public key $k_{PC}$. This
can be done, for example, by the application of the aforementioned
Desmedt-Frankel scheme to the configuration of the partial decryption
part 331. This method will be described below as being applied to the
second embodiment (Figs. 7, 8A and 8B).

For example, when any one $300_j$ of the distributed counter
apparatuses $300_2$ through $300_U$ suffers a breakdown, the distributed
counter apparatus $300_{j-1}$ sends the decrypted intermediate data $x_{i,j-1}$
to the distributed counter apparatus $300_{j+1}$, bypassing the failing one
$300_j$. The distributed counter apparatus $300_{j+1}$ decrypts the received
decrypted intermediate data $x_{i,j-1}$ by performing the decryption
process $x_{i,j+1} = \rho_{C_{j+1}}(x_{i,j-1}, k_{SC_{j+1}})$ with the partial secret key $k_{SC_{j+1}}$ to obtain
the decrypted intermediate data $x_{i,j+1}$, and passes it to the next
distributed counter apparatus $300_{j+2}$. The method for generating the
secret key for use in this case is described, for example, in the
aforementioned Desmedt-Frankel literature. Assume that all the
distributed counter apparatuses $300_1$ through $300_U$ have the
configuration depicted in Fig. 8A. In this instance, even if the first
distributed counter apparatus $300_1$ breaks down, the distributed
counter apparatus $300_2$ of the next stage substitutes therefor to
receive the vote data $\langle z_i, y_i \rangle$ from the voter apparatuses $100_1$ to $100_T$.
The distributed counter apparatus $300_U$ of the final stage sends the
decrypted vote content $v_i$ to the distributed counter apparatus $300_2$
that carries out the required operation on behalf of the failing
distributed counter apparatus $300_1$. Thus this embodiment enables
the vote counting to be carried out regardless of which distributed
counter apparatus breaks down.

MODIFICATION 2

With the application of the Desmedt-Frankel scheme to the
partial decryption part 331 and the total decryption part 332, it is
also possible, in the third embodiment (Figs. 9, 10A and 10B), to
decrypt the vote content $v_i$ if the decrypted intermediate data by at
least L (where $2 \le L \le U-1$) distributed counter apparatuses is
obtainable. For example, when the distributed counter apparatuses
$300_1$ through $300_{U-L}$ break down, decrypted intermediate data $x_{i,U-L+1}$
to $x_{iU}$ from the remaining distributed counter apparatuses $300_{U-L+1}$ to
$300_U$ are provided to the total decryption part 332 of the distributed
counter apparatus $300_U$ for the decryption of the vote content $v_i$
through the decryption process $v_i = \rho_C(x_{i,U-L+1}, x_{i,U-L+2}, \ldots, x_{iU})$ of the
received pieces of decrypted intermediate data. The counter 340
verifies the validity of the thus decrypted vote content $v_i$ and, if
valid, adds 1 to the number of polls voted for the candidate
corresponding to $v_i$ on the poll list 320B in the storage part 320.

With the application of the configuration of Fig. 10B to all of the
distributed counter apparatuses $300_1$ to $300_U$ in this modification,
even if a total of U-L distributed counter apparatuses break down, it
is possible to count the votes by causing one of the remaining
distributed counter apparatuses to perform the same operation as
described previously with reference to Fig. 10B.
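
The distributed decryption of Embodiments 2 and 3 and the threshold decryption of Modifications 1 and 2, worked through with ElGamal as an added example; this code is not part of the specification and is not the inventors' implementation. Assumptions: the group parameters are toy values constructed for the example, all function names are hypothetical, and the threshold case uses Shamir polynomial sharing with Lagrange interpolation in the exponent as one way to realize the cited Desmedt-Frankel scheme.

```python
# Added illustration: ElGamal with the counter's secret key split among U counters.
# Toy parameters constructed for this example: P = 2Q + 1 is a safe prime and
# G generates the subgroup of prime order Q. Real use needs a >= 2048-bit group.
import secrets
from math import prod

P, Q, G = 2039, 1019, 4

def encode(v):
    """Map a vote content 1..Q into the order-Q subgroup (works since P % 4 == 3)."""
    return v if pow(v, Q, P) == 1 else P - v

def decode(m):
    return m if m <= Q else P - m

def encrypt(v, k_pc):
    """x_i = xi_C(v_i, k_PC): ElGamal ciphertext (c1, c2) under the common public key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), encode(v) * pow(k_pc, r, P) % P

def additive_shares(k_sc, u):
    """Split k_SC into U partial secret keys whose sum equals k_SC mod Q."""
    shares = [secrets.randbelow(Q) for _ in range(u - 1)]
    return shares + [(k_sc - sum(shares)) % Q]

def partial_strip(x, k_scj):
    """Embodiment 2 stage: x_ij = rho_Cj(x_i(j-1), k_SCj) removes one key layer."""
    c1, c2 = x
    return c1, c2 * pow(c1, -k_scj, P) % P

def sequential_decrypt(x, partial_keys):
    for k in partial_keys:            # counters 300_1 ... 300_U in series
        x = partial_strip(x, k)
    return decode(x[1])               # only the last stage sees v_i

def partial_value(x, k_scj):
    """Embodiment 3: each counter independently computes c1^k_SCj from x_i."""
    return pow(x[0], k_scj, P)

def total_decrypt(x, partials):
    """Total decryption part: combine the intermediate data of all U counters."""
    return decode(x[1] * pow(prod(partials) % P, -1, P) % P)

def shamir_shares(k_sc, l, u):
    """Threshold variant: random degree L-1 polynomial f over Z_Q with f(0) = k_SC;
    counter j holds f(j)."""
    coeffs = [k_sc] + [secrets.randbelow(Q) for _ in range(l - 1)]
    return {j: sum(c * pow(j, e, Q) for e, c in enumerate(coeffs)) % Q
            for j in range(1, u + 1)}

def lagrange_at_zero(j, ids):
    """Coefficient that weights counter j's share when interpolating f(0)."""
    num = prod(m for m in ids if m != j) % Q
    den = prod(m - j for m in ids if m != j) % Q
    return num * pow(den, -1, Q) % Q

def threshold_decrypt(x, partials):
    """partials: {counter index j: c1^f(j)} from any L or more working counters."""
    ids = list(partials)
    mask = prod(pow(d, lagrange_at_zero(j, ids), P) for j, d in partials.items()) % P
    return decode(x[1] * pow(mask, -1, P) % P)

def demo(vote=7, u=5, l=3):
    k_sc = secrets.randbelow(Q - 1) + 1
    x = encrypt(vote, pow(G, k_sc, P))
    add = additive_shares(k_sc, u)
    thr = shamir_shares(k_sc, l, u)
    live = [2, 4, 5]                  # counters 1 and 3 are treated as broken down
    return {
        "sequential": sequential_decrypt(x, add),
        "parallel": total_decrypt(x, [partial_value(x, k) for k in add]),
        "threshold": threshold_decrypt(x, {j: partial_value(x, thr[j]) for j in live}),
    }

if __name__ == "__main__":
    print(demo())
```

With additive shares, leaving out any single counter's nonzero partial key yields a value other than the vote content, which is the property the second and third embodiments rely on; with the polynomial shares, any L counters suffice.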

Figs. 3 to 5, 8A, 8B, 10A and 10B depict the functional
configurations of the respective apparatuses; their functions each can
be implemented into operation by means of a controller, or they can
be executed wholly or partly by a computer.



EFFECT OF THE INVENTION 

As described above, the present invention encrypts the vote
content $v_i$ with the public encryption key $k_{PC}$ of the counter, and
hence it obviates the necessity for the voter to send a key to the
counter for the decryption of the vote content $v_i$.

With plural counters, the vote counting cannot be started without 
the consent of them all. 

In the case where a fixed number of counters can count the 
votes, it is possible to perform the vote counting by the collaboration 
of a certain number of valid or normal counter apparatuses, 
protecting the vote counting from the influence of fraud or failing 
apparatus. 

Moreover, an alteration of the vote content by the counter could
be detected by checking the published list of vote contents. That is,
when having found that his vote has not been counted, the voter
needs only to point out or allege fraud by publishing the encrypted
ballot $x_i$ and the administrator's signature $y_i$. In this instance, when
the number of dishonest counters is fixed, the voter privacy is
protected.

Besides, according to the present invention, since the vote content 
is sent after being encrypted with the encryption key, it is possible to 
prevent a fraud that, at the time of collecting ballots, one of the plural 
counters leaks the intermediate result of vote count to affect the 
election. 

As will be appreciated from the above, the present invention
provides increased convenience to voters through utilization of the
counter's encryption key and, by using plural counters, protects
against the fraud or leaking the intermediate result of the vote count
to affect the election.

It will be apparent that many modifications and variations may
be effected without departing from the scope of the novel concepts of
the present invention.

WHAT IS CLAIMED IS:

1. An electronic voting method in which voters obtain 
authorization to vote from an administrator and send their vote data
to a counter apparatus, and said counter apparatus performs vote 
counting, said method comprising the steps wherein: 

(a) each of said voters encrypts the vote content corresponding to 
his chosen candidate by an encryptor with a public key of said 
counter apparatus, and 

randomizes information containing said encrypted vote 
content by a random number to create a preprocessed text, and sends 
it to an administrator apparatus;

(b) said administrator apparatus verifies the validity of each 
voter apparatus, and 

inputs said received preprocessed text into a signature 
generator to generate a blind signature for said preprocessed text, and 
sends it back to said each voter apparatus; 

(c) said each voter excludes the influence of said random number 
from said blind signature for said received preprocessed text, and 

obtains a signature of said administrator for said information
containing said encrypted vote content, and sends said administrator
signature and said information containing said encrypted vote 
content, as vote data, to said counter apparatus; and 

(d) said counter decrypts said information containing said 
encrypted vote content, by a decryptor with a secret key 
corresponding to said public key, to obtain said vote content, and 
counts the number of votes polled for the candidate corresponding to 
said vote content.

2. The electronic voting method of claim 1, which comprises the
additional steps: (d-0) wherein said counter inputs said encrypted 
vote content and said administrator signature into a signature 
verification part to make sure that said preprocessed text is signed by 
said administrator, and publishes a list of vote data containing 
encrypted vote contents; and (d-1) wherein said each voter makes 
sure that his encrypted vote content is placed on said list. 

3. The electronic voting method of claim 1 or 2, wherein: said 
information randomizing step (a) comprises the additional steps 
wherein said each voter generates a tag that only he knows, and step 
wherein said each voter concatenates said encrypted vote content 
with said tag and randomizes it with said random number; and said 
step (d-1) comprises the additional step wherein said each voter 
separates said tag from said vote data on said list and makes a check 
to see if said tag is his. 

4. The electronic voting method of claim 1 or 2, wherein: said 
step (b) comprises the additional step wherein said administrator 
publishes, as a list of voters, a list of information representing voters 
given said blind signature; and said step (c) comprises the additional 
step wherein said each voter makes a check to see if information 
representing him is contained in said list of voters. 

5. The electronic voting method of claim 1 or 2, wherein said step 
(d) comprises the additional step wherein said counter publishes the 
result of counting of said vote content.

6. The electronic voting method of claim 1 or 2, wherein: in said
step (a) said each voter sends said preprocessed text to said 
administrator apparatus together with voter identification 
information; in said step (b) said administrator verifies the validity of 
said each voter on the basis of said voter identification information; 
and in said step (c) said each voter sends said vote data anonymously 
to said counter apparatus. 

7. The electronic voting method of claim 1 or 2, wherein: said 
step (a) comprises the additional step wherein said each voter 
generates his signature for said vote content, and sends said his 
signature to said administrator apparatus together with said vote 
content; and said step (b) comprises the additional step wherein said 
administrator apparatus verifies the validity of said voter signature 
for said vote content. 

8. The electronic voting method of claim 1, wherein: said counter 
apparatus has a series connection of a plurality of distributed counter 
apparatuses, each placed under the control of a different counter; said 
secret key is split into partial secret keys assigned to said plurality of 
distributed counter apparatuses, respectively; in said step (c) said 
each voter sends said vote data to that one of said plurality of 
distributed counter apparatuses which is connected to one end of said 
series connection; and said step (d) comprises the additional step 
wherein said plurality of counter apparatuses sequentially decrypt 
information containing said encrypted content in their decryption 
parts with said partial secret keys, and said vote content is obtained 



by the decryption processing in said distributed counter apparatus at 
the last stage of said series connection. 

9. The electronic voting method of claim 1, wherein: said counter 
apparatus has a plurality of distributed counter apparatuses, each 
placed under the control of a different counter; said secret key is split 
into partial secret keys assigned to said plurality of distributed 
counter apparatuses, respectively; in said step (c) said each voter 
sends said vote data to all of said plurality of distributed counter 
apparatuses; and said step (d) comprises the additional step wherein 
said plurality of counter apparatuses individually decrypt said 
encrypted content in their decryption parts with said partial secret 
keys to generate decrypted intermediate data, and said decrypted 
intermediate data is sent from said distributed counter apparatuses to 
a predetermined one of them and decrypted into said vote content. 

10. The electronic voting method of claim 8 or 9, wherein said 
decryption processing is a thresholding decryption processing that 
requires a predetermined plural number of said distributed counter 
apparatuses to work together. 

11. An electronic voting system which comprises a plurality of 
voter apparatuses, an administrator apparatus connected to each of 
said voter apparatuses through a nonanonymous communication 
channel, and a counter apparatus connected to each of said voter 
apparatuses through an anonymous communication channel, wherein: 

said each voter apparatus comprises: 

an encryptor for encrypting a vote content of a voter of said each 






voter apparatus with a public key of said counter apparatus to 
generate an encrypted vote content; 

a random generator for generating a random number; 

a randomizer for randomizing said encrypted vote content with 
said random number to create a preprocessed text; 

means for sending said preprocessed text to said administrator 
apparatus; 

a derandomizer for excluding the influence of said random 
number from a blind signature of said administrator apparatus, 
received therefrom, for said preprocessed text to obtain an 
administrator signature of said administrator apparatus for 
information containing said encrypted vote content; and 

means for sending said administrator signature and said 
information containing said encrypted vote content, as vote data, to 
said counter apparatus; 

said administrator apparatus comprises: 

a blind signature generator for generating said blind signature 
for said preprocessed text; and 

means for sending said blind signature to said each voter 
apparatus; and 

said counter apparatus comprises: 

a decryptor for decrypting said information containing said 
encrypted vote content in said vote data with a secret key 
corresponding to said public key to obtain said vote content; and 

a counter for performing vote counting for each candidate on the 
basis of said decrypted vote content. 

12. The electronic voting system of claim 11, wherein: said each 



voter apparatus further comprises an administrator signature 
verification part for verifying the validity of said administrator 
signature for said information containing said encrypted vote content, 
and sends said vote data to said counter apparatus when said 
administrator signature is found valid; and said counter apparatus 
further comprises an administrator signature verification part into 
which said information containing said encrypted vote content in said 
vote data received from said each voter apparatus and said 
administrator signature are input for verifying the validity of said 
administrator signature. 

13. The electronic voting system of claim 11, wherein: said each 
voter apparatus further comprises a voter signature generator for 
generating a voter signature for said preprocessed text and for 
sending it to said administrator apparatus; and said administrator 
apparatus further comprises a voter signature verification part for 
verifying the validity of said preprocessed text received from said 
each voter apparatus and said voter signature therefor, and generates 
said blind signature by said blind signature generator when said 
preprocessed text and said voter signature are found valid. 

14. The electronic voting system of claim 11, wherein: said 
counter apparatus further comprises a vote list generator which, if 
said administrator signature is found valid, generates, as a vote list, a 
list of said vote data received from said each voter apparatus, and 
publishes said vote list to said voter in a manner to be accessible from 
said each voter apparatus; and said each voter apparatus further 
comprises a vote list checker for making a check to see if said 



encrypted vote content of said each voter apparatus is contained in 
said vote list received from said counter apparatus. 

15. The electronic voting system of claim 14, wherein said each 
voter apparatus further comprises: a tag generator for generating a 
tag that only said voter knows; a concatenator for concatenating said 
encrypted vote content with said tag to generate information 
containing said encrypted vote content; and a list checking part for 
extracting said tag from each vote data in said vote list and for 
making a check to see if vote data of said voter is contained in said 
vote list by checking whether said extracted tag is the tag of said 
voter. 

16. The electronic voting system of claim 11, wherein: said 
counter apparatus has a series connection of a plurality of distributed 
counter apparatuses, each placed under the control of a different 
counter; said secret key is split into partial secret keys assigned to 
said plurality of distributed counter apparatuses, respectively; said 
each voter apparatus sends said vote data to that one of said plurality 
of distributed counter apparatuses which is connected to one end of 
said series connection; and said distributed counter apparatuses 
comprise decryption parts for sequentially decrypting information 
containing said encrypted content with said partial secret keys, said 
vote content being obtained by the decryption processing in said 
distributed counter apparatus at the last stage of said series 
connection. 

17. The electronic voting system of claim 11, wherein: said 



counter apparatus has a plurality of distributed counter apparatuses, 
each placed under the control of a different counter; said secret key is 
split into partial secret keys assigned to said plurality of distributed 
counter apparatuses, respectively; said each voter apparatus sends 
said vote data to all of said plurality of distributed counter 
apparatuses; said plurality of distributed counter apparatuses each 
have a decryption part for decrypting said encrypted vote content 
with said partial secret key assigned thereto to generate decrypted 
intermediate data and for sending said decrypted intermediate data 
to a predetermined one of said distributed counter apparatuses; and 
said predetermined distributed counter apparatus has a total 
decryption part for decrypting all of said decrypted intermediate data 
to obtain said vote content. 

18. The electronic voting system of claim 16 or 17, wherein said 
decryption part performs thresholding decryption processing that 
requires a predetermined plural number of said distributed counter 
apparatuses to work together. 

19. A voter apparatus in an electronic voting system which 
comprises a plurality of said voter apparatuses, an administrator 
apparatus connected to each of said voter apparatuses through a 
nonanonymous communication channel, and a counter apparatus 
connected to each of said voter apparatuses through an anonymous 
communication channel, said voter apparatus comprising: 

an encryptor for encrypting a vote content of a voter of said each 
voter apparatus with a public key of said counter apparatus to 
generate an encrypted vote content; 



a random generator for generating a random number; 

a randomizer for randomizing information containing said 
encrypted vote content with said random number to create a 
preprocessed text; 

voter signature generating means for generating a voter 
signature for said preprocessed text; 

means for sending said preprocessed text and said voter 
signature to said administrator apparatus; 

a derandomizer supplied with a blind signature of an 
administrator for said preprocessed text received from said 
administrator apparatus and said random number, for excluding the 
influence of said random number from said administrator blind 
signature to obtain an administrator signature for said information 
containing said encrypted vote content; 

a signature verification part supplied with said administrator 
signature for said encrypted vote content and said information 
containing said encrypted vote content, for verifying the validity of 
said administrator signature;

means for sending said administrator signature and said 
information containing said encrypted vote content, as vote data, to 
said counter apparatus when said administrator signature is found 
valid; and 

a list checking part for making a check to see if vote data of said 
voter is contained in a vote list received from said counter apparatus. 

20. The voter apparatus of claim 19, which further comprises a 
tag generator for generating a tag that only said voter knows, and a 
concatenator for concatenating said encrypted vote content with said 
tag, and wherein said list checking part extracts said tag from each
vote data on said vote list received from said counter apparatus and 
makes a check to see if said vote data of said voter is contained in 
said vote list by checking whether said extracted tag is the tag of said 
voter. 

21. A counter apparatus in an electronic voting system which 
comprises a plurality of voter apparatuses, an administrator
apparatus connected to each of said voter apparatuses through a 
nonanonymous communication channel, and said counter apparatus 
connected to each of said voter apparatuses through an anonymous 
communication channel, said counter apparatus comprising: 

an administrator signature verification part supplied with 
information containing vote content encrypted by a public key of a 
counter, received as vote data from said each voter apparatus, and an 
administrator signature for information containing said encrypted 
vote content, for verifying the validity of said administrator signature; 

a vote list generator for generating a list of said vote data 
received from said each voter apparatus when said administrator 
signature is found valid and for publishing said list to a voter of said 
each voter apparatus in a manner to be accessible therefrom; 

a decryptor for decrypting said information containing said 
encrypted vote content with a secret key corresponding to said public 
key to obtain the vote content of said voter; and 

counter means for counting the number of votes polled for each 
candidate on the basis of said decrypted vote content. 

22. The counter apparatus of claim 21, which further comprises a
series connection of a plurality of distributed counter apparatuses,
each placed under the control of a different counter, and wherein: said 
secret key is split into partial secret keys assigned to said plurality of 
distributed counter apparatuses, respectively; said vote data sent 
from said each voter apparatus is received by that one of said 
plurality of distributed counter apparatuses which is connected to one 
end of said series connection; said distributed counter apparatuses 
have partial decryption parts for sequentially decrypting information 
containing said encrypted content with said partial secret keys, and 
said vote content is obtained by the decryption process of said partial 
decryption part in said distributed counter apparatus at the last stage 
of said series connection. 

23. The counting apparatus of claim 21, which further comprises 
a plurality of distributed counter apparatuses, each placed under the 
control of a different counter, and wherein: said secret key is split into 
partial secret keys assigned to said plurality of distributed counter 
apparatuses, respectively; said plurality of distributed counter 
apparatuses each have a partial decryption part for decrypting said 
encrypted vote content with said partial secret key assigned thereto 
to generate decrypted intermediate data and for sending said 
decrypted intermediate data to a predetermined one of said
distributed counter apparatuses; and said predetermined distributed
counter apparatus has a total decryption part for decrypting all of 
said decrypted intermediate data to obtain said vote content. 

24. The counter apparatus of claim 22 or 23, wherein said partial 
decryption part performs thresholding decryption processing that 
requires a predetermined plural number of said distributed counter
apparatuses to work together. 

25. A recording medium having recorded thereon a program for 
executing, by a computer, a procedure of a voter apparatus in an 
electronic voting system which comprises a plurality of said voter 
apparatuses, an administrator connected to each of said plurality of
voter apparatuses through a nonanonymous communication channel, 
and a counter apparatus connected to said each vote apparatus 
through an anonymous communication channel, said procedure 
comprising the steps of: 

(a) encrypting a vote content of an each voter with a public key 
of said counter apparatus to generate an encrypted content; 

(b) generating a random number; 

(c) randomizing information containing said encrypted vote 
content with said random number to generate a preprocessed text; 

(d) generating a signature for said preprocessed text; 

(e) sending said preprocessed text and said signature to said 
administrator; 

(f) excluding, with said random number, the influence of said 
random number from a blind signature of an administrator for said 
preprocessed text received from said administrator apparatus to 
thereby obtain signature of said administrator for said information 
containing said encrypted vote content; 

(g) verifying the validity of said information containing said 
encrypted vote content; 

(h) sending said information containing said encrypted vote 
content and said administrator signature, as vote data to said counter 
apparatus if said information containing said encrypted vote content
is found valid; and 

(i) making a check to see if vote data of said each voter is 
contained in a vote list received from said counter apparatus. 

26. The recording medium of claim 25, wherein: said procedure 
comprises the additional steps of generating a tag that only said each 
voter knows, and concatenating said encrypted vote content with said 
tag to generate said information containing said encrypted vote 
content; and said step (i) comprises the additional step of extracting 
said tag from each vote data on said vote list received from said 
counter apparatus and making a check to see if said vote data of said 
each voter is contained in said vote list by checking whether said 
extracted tag is the tag of said each voter. 

27. A recording medium having recorded thereon a program for
executing, by a computer, a procedure of a counter apparatus in an 
electronic voting system which comprises a plurality of voter 
apparatuses, an administrator connected to each of said plurality of 
voter apparatuses through a nonanonymous communication channel, 
and said counter apparatus connected to said each vote apparatus 
through an anonymous communication channel, said procedure 
comprising the steps of: 

(a) receiving, as vote data, from each of said vote apparatuses 
information containing a vote content of each voter encrypted with a 
public key of said counter apparatus and an administrator signature
for said information and verifying the validity of said administrator 
signature; 

(b) generating, as a vote list, a list of said vote data received from
said each voter apparatus, if said administrator is found valid, and 
publishing said vote list in the form accessible by said each voter; 

(c) decrypting said information containing said encrypted vote 
content with a secret key corresponding to said public key to obtain 
the vote content of said each voter; and 

(d) counting the number of votes polled for each candidate on the 
basis of said decrypted vote content. 

28. The recording medium of claim 27, wherein: said counter 
apparatus has a series connection of a plurality of distributed counter 
apparatuses, each placed under the control of a different counter; said 
secret key is split into partial secret keys assigned to said plurality of 
distributed counter apparatuses, respectively; said step (c) comprises 
the additional step of receiving said vote data sent from said each 
voter apparatus by that one of said plurality of distributed counter 
apparatuses which is connected to one end of said series connection, 
and sequentially performing partial decryption processes of said 
information containing said encrypted vote content by said 
distributed counter apparatuses with said partial secret keys assigned 
thereto, respectively; and said vote content is obtained by said partial 
decryption process in said distributed counter apparatus at the last 
stage of said series connection. 

29. The recording medium of claim 27, wherein: said counter 
apparatus has a plurality of distributed counter apparatuses, each 
placed under the control of a different counter; said secret key is split 
into partial secret keys, which are assigned to said plurality of 
distributed counter apparatuses, respectively; said step (c) comprises
the additional steps of receiving said vote data from all of said voter 
apparatuses by each of said plurality of distributed counter 
apparatuses, then encrypting said encrypted vote content with said 
partial secret key assigned to said each distributed counter apparatus 
to generate decrypted intermediate data, then sending said decrypted 
intermediate data to said predetermined distributed counter 
apparatus, and performing, by said predetermined distributed 
counter apparatus, total decryption processing of all of said decrypted 
intermediate data sent thereto to thereby obtain said vote content. 

30. The recording medium of claim 28 or 29, wherein said step 
(e) is a step of performing thresholding partial decryption processing 
that requires a predetermined plural number of said distributed 
counter apparatuses to work together. 
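
The two distributed-counter arrangements of claims 22/28 (series) and 23/29 (intermediate data combined by one counter), as an added example that is not part of the specification. It assumes textbook ElGamal over a constructed toy group with the secret key split additively, so all counters must take part; the thresholding of claims 24/30 is not shown, and all function names are hypothetical.

```python
import secrets
from functools import reduce

# Constructed toy group (assumption): Mersenne prime modulus, demo only.
P_MOD = 2**127 - 1
G = 3

def keygen_shares(n: int):
    """Each counter holds one partial secret key; the public key is joint."""
    shares = [secrets.randbelow(P_MOD - 2) + 1 for _ in range(n)]
    public = reduce(lambda acc, x: acc * pow(G, x, P_MOD) % P_MOD, shares, 1)
    return shares, public

def encrypt(m: int, public: int):
    """Voter side: ElGamal ciphertext (c1, c2) under the joint public key."""
    k = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, k, P_MOD), m * pow(public, k, P_MOD) % P_MOD

def series_decrypt(ct, shares):
    """Series connection: each counter strips its own share in turn."""
    c1, c2 = ct
    for x_k in shares:                       # one loop turn per counter
        c2 = c2 * pow(c1, -x_k, P_MOD) % P_MOD
    return c2                                # plaintext only after the last stage

def partial(ct, x_k: int) -> int:
    """Parallel form: one counter's decrypted intermediate data."""
    return pow(ct[0], x_k, P_MOD)

def total_decrypt(ct, intermediates) -> int:
    """The predetermined counter combines all intermediate data."""
    mask = reduce(lambda acc, w: acc * w % P_MOD, intermediates, 1)
    return ct[1] * pow(mask, -1, P_MOD) % P_MOD
```

With any share missing, both routines return a value that is still masked, which is the property that keeps a single counter from reading ballots alone.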






ABSTRACT OF THE DISCLOSURE 



A voter V_i encrypts his vote content v_i with a public key k_PC of a
counter C, then concatenates the encrypted vote content x_i with a tag
t_i to obtain a ballot z_i, then randomizes it with a random number r_i to
create a preprocessed text e_i, and sends it and a signature s_i therefor
to an election administrator A. The administrator A generates a blind
signature d_i for the preprocessed text e_i and sends it back to the voter
V_i. The voter V_i excludes the influence of the random number r_i from
the blind signature d_i to obtain administrator signature y_i, and sends
vote data <z_i, y_i> to a counter C. The counter C verifies the validity of
the administrator signature y_i and, if valid, generates and publishes a
vote list containing the data <z_i, y_i> to the voter V_i. The voter V_i
checks the vote list to make sure that it contains the data <z_i, y_i> with
his tag t_i held in the ballot z_i. The counter C decrypts the encrypted
vote content x_i in the ballot z_i to obtain the vote content v_i, and
counts the number of votes polled for each candidate.
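
The flow in the abstract, as an added example that is not part of the specification. It assumes an RSA blind signature with a constructed toy administrator key, treats x_i as an opaque ciphertext, and reduces the voter signature s_i to a one-signature-per-voter ID check; all function names are hypothetical.

```python
import hashlib, math, secrets

# Constructed toy RSA key for administrator A (assumption): demo only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
TAG_LEN = 8

def h(z_i: bytes) -> int:
    """Hash the ballot into Z_N (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(z_i).digest(), "big") % N

def make_ballot(x_i: bytes):
    """z_i = x_i || t_i, where t_i is a tag only the voter knows."""
    t_i = secrets.token_bytes(TAG_LEN)
    return x_i + t_i, t_i

def blind(z_i: bytes):
    """e_i = H(z_i) * r_i^E mod N; r_i must be invertible mod N."""
    while True:
        r_i = secrets.randbelow(N - 2) + 2
        if math.gcd(r_i, N) == 1:
            return h(z_i) * pow(r_i, E, N) % N, r_i

def admin_sign(voter_id: str, e_i: int, issued: set) -> int:
    """A signs blindly, once per voter: d_i = e_i^D mod N."""
    if voter_id in issued:
        raise PermissionError("voter already received a signature")
    issued.add(voter_id)
    return pow(e_i, D, N)

def unblind(d_i: int, r_i: int) -> int:
    """y_i = d_i * r_i^-1 mod N, a plain RSA signature on H(z_i)."""
    return d_i * pow(r_i, -1, N) % N

def verify(z_i: bytes, y_i: int) -> bool:
    return pow(y_i, E, N) == h(z_i)

def counter_accept(vote_list: list, z_i: bytes, y_i: int) -> bool:
    """C lists <z_i, y_i> only if A's signature on z_i verifies."""
    if not verify(z_i, y_i):
        return False
    vote_list.append((z_i, y_i))
    return True

def voter_check(vote_list: list, t_i: bytes) -> bool:
    """The voter looks for its own tag among the published ballots."""
    return any(z[-TAG_LEN:] == t_i for z, _ in vote_list)
```

The administrator only ever sees e_i, so it can enforce one signature per voter without being able to link the published <z_i, y_i> back to the request it signed.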